Malicious PyPI Package - LiteLLM Supply Chain Compromise
A malicious supply chain attack has been discovered in the Python Package Index package litellm version 1.82.8. The compromised package contains a malicious .pth file that executes automatically when the Python interpreter starts, without requiring explicit import. This file, located in site-packages/, exfiltrates sensitive information including environment variables, SSH keys, and cloud credentials to an attacker-controlled server. The payload is double base64-encoded to evade basic static analysis. PyPI administrators have quarantined the project to limit its spread. Users are advised to check for the malicious file, rotate all potentially exposed credentials, and audit their PyPI publishing process. The attack is attributed to TeamPCP and is actively exploited in the wild.
AI Analysis
Technical Summary
The LiteLLM supply chain compromise involves a malicious version (1.82.8) of the litellm package published on PyPI, the official Python package repository. The attacker inserted a malicious .pth file within the package's site-packages directory. Unlike typical Python modules, .pth files are executed automatically by the Python interpreter upon startup, even if the package is not explicitly imported by the user. This stealthy execution mechanism allows the attacker to run code immediately when Python starts. The malicious .pth file contains a payload that collects sensitive information from the victim's environment, including environment variables, SSH private keys, and cloud service credentials. To avoid detection by basic static analysis tools, the payload is double base64-encoded, requiring decoding at runtime to reveal the malicious code. The stolen data is exfiltrated to attacker-controlled infrastructure, specifically domains such as checkmarx.zone and models.litellm.cloud. The attack is attributed to the threat actor group TeamPCP and is actively exploited in the wild. PyPI administrators responded by quarantining the litellm project to prevent further downloads. This incident highlights the risks inherent in software supply chains, especially in open-source ecosystems where malicious code can be introduced into widely used packages. The attack leverages multiple MITRE ATT&CK techniques including user execution (T1204.002), credential access (T1555, T1588.001, T1552.001), command and scripting interpreter abuse (T1059.006), obfuscated files or information (T1027.002), and command and control over web protocols (T1071.001).
Potential Impact
This supply chain compromise poses a significant risk to organizations and developers using the litellm package or its dependencies. The automatic execution of malicious code upon Python interpreter startup means that even indirect usage of the package can lead to credential theft. Exfiltration of environment variables, SSH keys, and cloud credentials can lead to unauthorized access to critical infrastructure, cloud environments, and internal systems. This can result in data breaches, lateral movement within networks, and potential deployment of further malware or ransomware. The stealthy nature of the attack, including payload obfuscation and use of .pth files, complicates detection and response. Organizations relying on Python for development, automation, or cloud operations are at risk, especially those with automated deployment pipelines that may pull dependencies without thorough vetting. The incident also undermines trust in the PyPI ecosystem and highlights the need for rigorous supply chain security practices. Although PyPI quarantined the package, any systems that installed the compromised version remain vulnerable until remediation steps are taken.
Mitigation Recommendations
1. Immediately audit all Python environments for the presence of the malicious .pth file within site-packages directories, especially in installations of litellm version 1.82.8.
2. Remove the compromised package and any related malicious files from affected systems.
3. Rotate all potentially exposed credentials, including SSH keys, cloud service credentials, and environment variables that may have been compromised.
4. Implement strict dependency management policies, including verifying package integrity via checksums or signatures before installation.
5. Use tools that monitor and alert on unexpected .pth files or unusual Python interpreter startup behaviors.
6. Employ runtime detection solutions that can identify suspicious outbound network connections to known malicious domains such as checkmarx.zone and models.litellm.cloud.
7. Educate development and DevOps teams on supply chain risks and encourage the use of private package repositories or mirrors with strict vetting.
8. Regularly audit PyPI publishing processes and credentials to prevent unauthorized package uploads.
9. Consider adopting Python package security tools that scan for malicious code or unusual package contents before deployment.
10. Monitor threat intelligence feeds for updates on TeamPCP activities and related indicators of compromise.
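One way to carry out the audit in steps 1 and 5, as an added example that is not code from the advisory or from the litellm project: Python's `site` module executes any `.pth` line that begins with `import`, so the script lists those lines and peels nested base64 layers to look for the two domains named on this page. The function names and the sample file contents are constructed for illustration; an `import` line alone is a review item, since some legitimate packages ship one.

```python
import base64, binascii, re, site, tempfile
from pathlib import Path

IOC_DOMAINS = (b"checkmarx.zone", b"models.litellm.cloud")  # from this advisory
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")          # candidate base64 blobs
RISKY = re.compile(rb"\b(exec|eval|b64decode|urlopen|subprocess)\b")

def peel(data, depth=3):
    """Yield (layer_number, bytes) for data and each nested base64 layer in it."""
    yield 0, data
    if depth:
        for run in B64_RUN.findall(data):
            try:
                inner = base64.b64decode(run, validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid base64, ignore this run
            for n, layer in peel(inner, depth - 1):
                yield n + 1, layer

def audit_pth(path):
    """Return [(line_no, reason)] for lines site.py would execute at startup."""
    findings = []
    for no, line in enumerate(Path(path).read_bytes().splitlines(), 1):
        if not line.startswith((b"import ", b"import\t")):
            continue  # plain path entries are only appended to sys.path
        findings.append((no, "executable import line (review)"))
        for n, layer in peel(line):
            if RISKY.search(layer):
                findings.append((no, f"risky call at base64 depth {n}"))
            findings += [(no, f"IoC {d.decode()} at base64 depth {n}")
                         for d in IOC_DOMAINS if d in layer]
    return findings

def scan(dirs):
    """Audit every .pth file directly inside the given directories."""
    files = [p for d in dirs for p in sorted(Path(d).glob("*.pth"))]
    return {str(p): f for p in files if (f := audit_pth(p))}

def demo():
    """Constructed sample: inert text, double base64-encoded, in a temp dir."""
    inert = b"placeholder naming http://checkmarx.zone/raw (inert, never run)"
    blob = base64.b64encode(base64.b64encode(inert))
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "sample.pth").write_bytes(b'import os; blob = "' + blob + b'"\n')
        Path(tmp, "paths.pth").write_bytes(b"/opt/constructed/lib\n")
        return {Path(k).name: v for k, v in scan([tmp]).items()}

if __name__ == "__main__":
    for path, found in scan(site.getsitepackages() + [site.getusersitepackages()]).items():
        print(path, found)
```

Run it with each interpreter or virtual environment you need to check, since every environment has its own site-packages directory.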
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Indicators of Compromise
- url: http://checkmarx.zone/raw
- domain: checkmarx.zone
- domain: models.litellm.cloud
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.truesec.com/hub/blog/malicious-pypi-package-litellm-supply-chain-compromise
- Adversary: TeamPCP
- Pulse Id: 69c3bb2520934c9e0b4e5dca
- Threat Score: null
Threat ID: 69c3ee28f4197a8e3b53b8b3
Added to database: 3/25/2026, 2:16:08 PM
Last enriched: 3/25/2026, 2:31:06 PM
Last updated: 3/26/2026, 5:37:00 AM